We look at the operational semantics of languages with interactive I/O through the glasses of constructive type theory. Following on from our earlier work on coinductive trace-based semantics for While [17], we define several big-step semantics for While with interactive I/O, based on resumptions and termination-sensitive weak bisimilarity. These require nesting inductive definitions in coinductive definitions, which is interesting both mathematically and from the point-of-view of implementation in a proof assistant.

After first defining a basic semantics of statements in terms of resumptions with explicit internal 
actions (delays), we introduce a semantics in terms of delay-free resumptions that essentially removes 
finite sequences of delays on the fly from those resumptions that are responsive. Finally, we also look 
at a semantics in terms of delay-free resumptions supplemented with a silent divergence option. This 
semantics hinges on decisions between convergence and divergence and is only equivalent to the 
basic one classically. We have fully formalized our development in Coq. 



1 Introduction 

Interactive programs are those programs that take inputs, do some computation, output results, and iterate this cycle possibly infinitely. Operating systems and database systems are typical examples. They are important programs and have attracted formal study to guarantee their correctness/safety. For instance, a web application should protect the confidentiality of the data it processes in interaction with possibly untrusted agents, and a certified compiler should preserve the input/output behavior of the source program in the compiled code. These works call for formal semantics of interactive programs.

Continuing our previous work [17] on a trace-based coinductive big-step semantics for potentially nonterminating programs, we present a constructive account of interactive input-output resumptions¹, their important properties, such as weak bisimilarity and responsiveness (a program always eventually performs input or output unless it terminates), and big-step semantics of reactive programs. We devise both constructive-style and classical-style concepts and identify their relationships. Classical-style concepts rely on upfront decisions of whether a computation is going to terminate, make an observable action, i.e., perform input or output, or silently diverge. The problem is generally undecidable. Hence, classical-style concepts tend to be too strong for constructive reasoning.

Our operational semantics are resumption-based. A resumption is roughly a tree representing possible runs of a program. The tree branches on inputs, each edge corresponding to a possible input, and has infinitely deep paths if the program may diverge. We begin the paper by formalizing important properties of resumptions, among which (termination-sensitive) weak bisimilarity is the most interesting one technically, requiring nesting of induction into coinduction. We give a constructive-style formulation of weak bisimilarity and relate it to the classical-style version adapted from previous work [13, 3]. We then present three big-step semantics for interactive While, i.e., While extended with input/output statements: a basic semantics which explicitly deals with internal actions (delay steps) and assigns a resumption to all configurations (statement-state pairs); a delay-free semantics for responsive configurations; and a classical-style semantics, which is total classically for all configurations. The two latter semantics collapse finite sequences of delay steps on the fly. The classical-style semantics can in addition recognize silent divergence; classical-style resumptions include a distinguished element to represent divergence. Moreover, all three semantics are equivalent under suitable assumptions. Our approach with big-step semantics in terms of resumptions allows for reasoning about operational behaviors of programs in a syntax-independent way. We therefore argue that it is more abstract than approaches by means of small-step semantics, or labelled transition systems (in terms of configurations involving a residual program or a control point). To compare our big-step semantics to more traditional approaches, we also define an uncontroversial small-step semantics with an associated notion of weak bisimilarity of configurations and show that it agrees with our basic big-step semantics. These technical results form the main contributions of the paper.

¹ The word 'resumption' is sometimes reserved for denotations of parallel threads. We apply it more liberally to datastructures recording evolution in small steps. This usage dates back to Plotkin [20] and was reinforced by Cenciarelli and Moggi [5].

Why do we want to be constructive? First, let us state that our choice is neither motivated by nor depends on any argument of truth: we are not claiming in this paper that classical logic is less true than intuitionistic logic, and none of the points we make hinge on this being the case. Nevertheless, we do think that working in a constructive logic is very useful also if one has no philosophical problem in accepting non-constructive arguments. Our reasons are these. For us, using constructive logic is primarily a technical way to be conscious about the principles we depend on in our arguments. We are by no means limiting our

selves: when we really need some non-constructive principle in a constructive argument, we can always explicitly assume this principle (or the specific instance that we need). But it so happens that a need for unexpectedly strong principles is often a sign of some imperfect design choice in the setup of a theory. Another reason to be constructive as a semanticist is that programming is about computable functions only. In constructive logic, we do not have to specifically worry about computability: only computable functions are there and can be spoken about. For example, the formula $\forall x.\, p\,x \vee \neg(p\,x)$ is not a tautology; it states that p is decidable: there is a computable function mapping any x to a proof of $p\,x$ or a proof of $\neg(p\,x)$ (so also to yes or no, should one not care about the proofs). In big-step semantics, although we specify evaluation as a relation in this paper, it is important for us that it can be turned into a function, or else we do not capture the intuitive idea that programs represent computable functions from initial configurations into behaviors.

We have formalized the development in Coq version 8.2pl1. This gives us greater confidence in the correctness of our reasoning, in particular regarding the productivity of coinductive proofs, since the type checker of Coq helps us avoid mistakes by ruling out improductivity. We rely on Mendler-style coinduction to circumvent the limitations imposed by the syntactic guardedness approach [?] of Coq. The Coq development is available at http://cs.ioc.ee/~keiko/sophie.tgz.

The language we consider is the While language extended with input and output primitives, with statements $s : \mathit{stmt}$ defined inductively by

$$s ::= \mathbf{skip} \mid s_0; s_1 \mid x := e \mid \mathbf{if}\ e\ \mathbf{then}\ s_t\ \mathbf{else}\ s_f \mid \mathbf{while}\ e\ \mathbf{do}\ s_t \mid \mathbf{input}\ x \mid \mathbf{output}\ e$$

We assume given the sets of variables and (pure) expressions, whose elements are ranged over by the metavariables x and e respectively. We assume the set of values to be the integers, non-zero integers counting as truth and zero as falsity. The metavariable v ranges over values. A state, ranged over by σ, maps variables to values. The notation $\sigma[x \mapsto v]$ denotes the update of a state σ with v at x. We assume given an evaluation function $[\![e]\!]\sigma$, which evaluates e in the state σ. We write $\sigma \models e$ and $\sigma \not\models e$ to denote that e is true, resp. false, in σ.

2 Resumptions 

We will define operational semantics of interactive While in terms of states and (interactive input-output) resumptions. Informally, a resumption is a datastructure that captures all possible evolutions of a configuration (a statement-state pair), a computation tree branching according to the external non-determinism resulting from interactive input².

Basic (delayful) resumptions $r : \mathit{res}$ are defined coinductively by the rules³

$$\frac{\sigma : \mathit{state}}{\mathit{ret}\,\sigma : \mathit{res}}\qquad \frac{f : \mathit{Int} \to \mathit{res}}{\mathit{in}\,f : \mathit{res}}\qquad \frac{v : \mathit{Int}\quad r : \mathit{res}}{\mathit{out}\,v\,r : \mathit{res}}\qquad \frac{r : \mathit{res}}{\delta\,r : \mathit{res}}$$

so a resumption either has terminated with some final state, $\mathit{ret}\,\sigma$, takes an integer input v and evolves into a new resumption $f\,v$, $\mathit{in}\,f$, outputs an integer v and evolves into r, $\mathit{out}\,v\,r$, or performs an internal action (observable at best as a delay) and becomes r, $\delta\,r$. For simplicity, we assume input totality; i.e., input resumptions, represented by total functions, accept any integers. But we could instead have had them partial, e.g., by letting the constructor $\mathit{in}$ take the intended domain of definedness as an additional argument. We also define (strong) bisimilarity of two resumptions, $r \sim r_\star$, coinductively by

$$\frac{}{\mathit{ret}\,\sigma \sim \mathit{ret}\,\sigma}\qquad \frac{\forall v.\, f\,v \sim f_\star\,v}{\mathit{in}\,f \sim \mathit{in}\,f_\star}\qquad \frac{r \sim r_\star}{\mathit{out}\,v\,r \sim \mathit{out}\,v\,r_\star}\qquad \frac{r \sim r_\star}{\delta\,r \sim \delta\,r_\star}$$

Bisimilarity is straightforwardly seen to be an equivalence. We think of bisimilar resumptions as equal, i.e., type-theoretically we treat resumptions as a setoid with bisimilarity as the equivalence relation⁴. Accordingly, we have to make sure that all functions and predicates we define on resumptions are setoid functions and predicates, i.e., insensitive to bisimilarity.

Here are some examples of resumptions, defined by corecursion:

$$\begin{array}{rcl}
\bot &=& \delta\,\bot \\
\mathit{rep}\,n &=& \delta\,(\delta\,(\mathit{out}\,n\,(\mathit{rep}\,n))) \\
\mathit{rep}'\,n &=& \delta\,(\mathit{out}\,n\,(\mathit{rep}'\,n)) \\
\mathit{echo}\,\sigma &=& \mathit{in}\,(\lambda n.\, \delta\,(\mathbf{if}\ n \neq 0\ \mathbf{then}\ \mathit{out}\,n\,(\mathit{echo}\,\sigma)\ \mathbf{else}\ \mathit{ret}\,\sigma)) \\
\mathit{echo}' &=& \mathit{in}\,(\lambda n.\, \delta\,(\mathbf{if}\ n \neq 0\ \mathbf{then}\ \mathit{out}\,n\,\mathit{echo}'\ \mathbf{else}\ \bot))
\end{array}$$

⊥ represents a resumption that silently diverges, rep outputs an integer n forever, rep' is similar but has shorter latency. Both echo and echo' echo input interactively; the former terminates when the input is 0, whereas the latter diverges in this situation.

Convergence, $r \downarrow r'$, states that r converges in a finite number of steps to a resumption r', which has terminated or makes an observable action (performs input/output) as its first move. It is defined inductively by

$$\frac{}{\mathit{ret}\,\sigma \downarrow \mathit{ret}\,\sigma}\qquad \frac{\forall v.\, f\,v \sim f_\star\,v}{\mathit{in}\,f \downarrow \mathit{in}\,f_\star}\qquad \frac{r \sim r_\star}{\mathit{out}\,v\,r \downarrow \mathit{out}\,v\,r_\star}\qquad \frac{r \downarrow r'}{\delta\,r \downarrow r'}$$



² There are alternatives. We could have chosen to work, e.g., with functions from streams of input values into traces, i.e., computation paths.

³ We mark inductive definitions by single horizontal rules and coinductive definitions by double horizontal rules.

⁴ Classically, strong bisimilarity is equality. But we work in an intensional type theory where strong bisimilarity of colists is weaker than equality (just as equality of two functions on all arguments is weaker than equality of these two functions). E.g., ⊥ and δ⊥ are only strongly bisimilar.
In contrast, divergence, $r\uparrow$, states that r diverges silently. It is defined coinductively by

$$\frac{r\uparrow}{\delta\,r\uparrow}$$

For instance, we have $\delta\,(\delta\,(\mathit{ret}\,\sigma)) \downarrow \mathit{ret}\,\sigma$, $\mathit{rep}\,n \downarrow \mathit{out}\,n\,(\mathit{rep}\,n)$ and $\bot\uparrow$.

Both convergence and divergence are setoid predicates. Constructively, it is not the case that $\forall r.\, (\exists r'.\, r \downarrow r') \vee r\uparrow$, which amounts to decidability of convergence. But classically, this dichotomy is true. In particular, $\forall r.\, \neg(\exists r'.\, r \downarrow r') \to r\uparrow$ is constructively provable, but $\forall r.\, \neg r\uparrow \to \exists r'.\, r \downarrow r'$ holds only classically.

We can now introduce a useful notion of responsiveness. A resumption r is responsive, $r\Downarrow$, if it keeps converging. It is defined coinductively with the help of the convergence predicate by

$$\frac{r \downarrow \mathit{ret}\,\sigma}{r\Downarrow}\ [\text{resp-ret}]\qquad \frac{r \downarrow \mathit{in}\,f\quad \forall v.\, (f\,v)\Downarrow}{r\Downarrow}\ [\text{resp-in}]\qquad \frac{r \downarrow \mathit{out}\,v\,r'\quad r'\Downarrow}{r\Downarrow}\ [\text{resp-out}]$$

For instance, $\mathit{rep}\,n$, $\mathit{rep}'\,n$ and $\mathit{echo}\,\sigma$ are responsive, but ⊥ and $\mathit{echo}'$ are not.

Classically, a resumption is responsive if it can never evolve into a diverging resumption. Indeed, by augmenting the definition of responsiveness with a divergence option we obtain a classically tautological predicate, $r\S$, that we call committedness.

$$\frac{r \downarrow \mathit{ret}\,\sigma}{r\S}\ [\text{comm-ret}]\qquad \frac{r \downarrow \mathit{in}\,f\quad \forall v.\, (f\,v)\S}{r\S}\ [\text{comm-in}]\qquad \frac{r \downarrow \mathit{out}\,v\,r'\quad r'\S}{r\S}\ [\text{comm-out}]\qquad \frac{r\uparrow}{r\S}\ [\text{comm-div}]$$

For a resumption r to be committed, it must be the case that it always either converges or diverges. So, classically, any resumption is committed.

Lemma 2.1 Classically, for all r, $r\S$.

Proof Specifically, we use an instance of excluded middle, $\forall r.\, (\exists r'.\, r \downarrow r') \vee \neg(\exists r'.\, r \downarrow r')$, which amounts to assuming that convergence is decidable. □

Lemma 2.2 Convergence, divergence, responsiveness and committedness are setoid predicates.



3 Weak Bisimilarity 

Two resumptions are weakly bisimilar if they are bisimilar modulo collapsing finite sequences of delay steps between observable actions. It is conceivable that, in practice, weak bisimilarity is what is needed: one may well be interested only in observable behavior, disregarding finite delays. For instance, to guarantee the correctness of a compiler optimization, we would want to prove that the optimization does not change the observable behavior of the source program, including termination and divergence behaviors, but the optimized code may perform fewer internal steps and thus be faster. We therefore formalize termination-sensitive weak bisimilarity, which distinguishes termination and silent divergence.

Technically, getting the definition of weak bisimilarity right is not straightforward, especially not in a constructive setting. It requires both induction and coinduction: we need to collapse a finite number of delay steps between observable actions, possibly infinitely often. Here we present two equivalent formulations (actually, we will also give a third one for classical reasoning, which is only equivalent to the first two classically). The first is closer to the formulations typically found in the process calculi literature (except that, in process calculi, one usually works with termination-insensitive weak bisimilarity). The second nests induction into coinduction, exhibiting a useful technique for implementation in Coq. In our development, we use both formulations and their equivalence result, freely choosing the one of the two that facilitates the proof.

The first one, denoted $r \approx r_\star$, uses coinduction atop the inductive definition of convergence and is defined by the rules

$$\frac{r \downarrow \mathit{ret}\,\sigma\quad r_\star \downarrow \mathit{ret}\,\sigma}{r \approx r_\star}\qquad \frac{r \downarrow \mathit{in}\,f\quad r_\star \downarrow \mathit{in}\,f_\star\quad \forall v.\, f\,v \approx f_\star\,v}{r \approx r_\star}\qquad \frac{r \downarrow \mathit{out}\,v\,r'\quad r_\star \downarrow \mathit{out}\,v\,r'_\star\quad r' \approx r'_\star}{r \approx r_\star}\qquad \frac{r \approx r_\star}{\delta\,r \approx \delta\,r_\star}$$

so two resumptions are weakly bisimilar if they converge at the same action or can both perform an internal action, with weakly bisimilar residual resumptions. In particular, two terminating resumptions are derived to be weakly bisimilar by a single application of the first rule, whereas two silently diverging resumptions are weakly bisimilar by corecursive application of the fourth rule. For instance, we have $\mathit{rep}\,n \approx \mathit{rep}'\,n$, but $\mathit{echo}\,\sigma \approx \mathit{echo}'$ does not hold.

Lemma 3.1 For any r, r' and $r_\star$, if $r \downarrow r'$ and $r_\star\uparrow$ then $\neg\, r \approx r_\star$.

As a corollary, we obtain that the silently diverging resumption ⊥ and resumptions that have terminated, $\mathit{ret}\,\sigma$, are not weakly bisimilar.
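To make the definitions of Sections 2 and 3 concrete, here is an added example, written for this text and not part of the paper or of its Coq development: a small Python model of delayful resumptions as lazy trees, the example resumptions ⊥, rep, rep', echo and echo', a fuel-bounded stand-in for convergence, and a fuel-bounded checker for termination-sensitive weak bisimilarity following the first formulation. All function names (ret, inp, out, delay, converge, weak_bisim), the fuel and depth bounds and the sample input set are this example's own assumptions. Since convergence is undecidable, the checker can only report that no discrepancy was found within its bounds, never a proof of bisimilarity.

```python
# Resumption nodes; continuations are thunks / functions so that infinite trees
# are built lazily (this models corecursion). Constructed encoding:
#   ("ret", sigma) | ("in", f) | ("out", v, k) | ("delay", k)
# with f : Int -> resumption and k : () -> resumption.
def ret(sigma):   return ("ret", sigma)
def inp(f):       return ("in", f)
def out(v, k):    return ("out", v, k)
def delay(k):     return ("delay", k)

# The example resumptions of Section 2 (bottom is ⊥, rep_fast is rep', echo_div is echo').
def bottom():     return delay(bottom)
def rep(n):       return delay(lambda: delay(lambda: out(n, lambda: rep(n))))
def rep_fast(n):  return delay(lambda: out(n, lambda: rep_fast(n)))
def echo(sigma):
    return inp(lambda n: delay(lambda: out(n, lambda: echo(sigma)) if n != 0 else ret(sigma)))
def echo_div():
    return inp(lambda n: delay(lambda: out(n, echo_div) if n != 0 else bottom()))

def converge(r, fuel):
    """Bounded form of r ↓ r': strip at most `fuel` delays and return the first
    non-delay node, or None if none was reached. Convergence is undecidable in
    general, so the bound is essential: None means 'not within fuel', not
    'diverges'."""
    for _ in range(fuel + 1):
        if r[0] != "delay":
            return r
        r = r[1]()
    return None

def weak_bisim(r, s, fuel=16, depth=8, inputs=(0, 1, -2)):
    """Bounded check of termination-sensitive weak bisimilarity r ≈ s following
    the first formulation: converge both sides, compare the action, recurse.
    Approximations: a side that does not converge within `fuel` counts as
    diverging, so one converging and one non-converging side are judged
    different (cf. Lemma 3.1) and two non-converging sides are provisionally
    equal (the corecursive δ-rule); continuations are explored `depth` actions
    deep and input continuations only on the sample `inputs`. True means that
    no discrepancy was found within these bounds."""
    if depth == 0:
        return True
    a, b = converge(r, fuel), converge(s, fuel)
    if a is None and b is None:
        return True
    if a is None or b is None or a[0] != b[0]:
        return False
    if a[0] == "ret":                       # same final state required
        return a[1] == b[1]
    if a[0] == "out":                       # same value, bisimilar residuals
        return a[1] == b[1] and weak_bisim(a[2](), b[2](), fuel, depth - 1, inputs)
    return all(weak_bisim(a[1](v), b[1](v), fuel, depth - 1, inputs)
               for v in inputs)            # "in": bisimilar on every sampled input

if __name__ == "__main__":
    sigma = {"x": 0}
    print(weak_bisim(rep(3), rep_fast(3)))        # True : rep n ≈ rep' n
    print(weak_bisim(echo(sigma), echo_div()))    # False: differ on input 0
    print(weak_bisim(ret(sigma), bottom()))       # False: termination-sensitive
    print(weak_bisim(bottom(), bottom()))         # True : both silently diverge
```

The checker encodes exactly the two constructive caveats of the text: it decides convergence within a fuel bound rather than convergence itself, and it treats exhaustion of fuel on both sides as the corecursive δ-rule firing. Lemma 3.1 shows up as the case where one side converges and the other does not.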

The second formulation, denoted $r \approx^\circ r_\star$, nests induction into coinduction. We first define $\downarrow\!X\!\downarrow$ inductively in terms of X, for any relation (read: setoid relation) X, and then define $\approx^\circ$ coinductively in terms of $\downarrow\!\approx^\circ\!\downarrow$. For binary relations X, Y, $X \subseteq Y$ denotes $\forall x, x_\star.\, x\,X\,x_\star \to x\,Y\,x_\star$.

$$\frac{}{\mathit{ret}\,\sigma \downarrow\!X\!\downarrow \mathit{ret}\,\sigma}\qquad \frac{r\,X\,r_\star}{\mathit{out}\,v\,r \downarrow\!X\!\downarrow \mathit{out}\,v\,r_\star}\qquad \frac{\forall v.\, f\,v\,X\,f_\star\,v}{\mathit{in}\,f \downarrow\!X\!\downarrow \mathit{in}\,f_\star}\qquad \frac{r \downarrow\!X\!\downarrow r_\star}{\delta\,r \downarrow\!X\!\downarrow r_\star}\qquad \frac{r \downarrow\!X\!\downarrow r_\star}{r \downarrow\!X\!\downarrow \delta\,r_\star}$$

$$\frac{X \subseteq {\approx^\circ}\quad r \downarrow\!X\!\downarrow r_\star}{r \approx^\circ r_\star}\qquad \frac{r \approx^\circ r_\star}{\delta\,r \approx^\circ \delta\,r_\star}$$

Intuitively, $r \downarrow\!X\!\downarrow r_\star$ means that r and $r_\star$ converge to resumptions related by X.

In the first rule of $\approx^\circ$, we have used Mendler-style coinduction in order to enable Coq's syntactic guarded corecursion for $\approx^\circ$. The natural (Park-style) rule to stipulate would have been:

$$\frac{r \downarrow\!\approx^\circ\!\downarrow r_\star}{r \approx^\circ r_\star}$$

Coq's guardedness condition for induction nested into coinduction is too weak to work with the Park-style rule: we cannot construct the corecursive functions (coinductive proofs) that we need. With our definition, the Park-style rule is derivable. We can also prove that $\downarrow\!X\!\downarrow$ is monotone in X, which allows us to recover the natural inversion principle for $\approx^\circ$.

Induction and coinduction can be mixed in several ways. An inductive definition can be mutual with a coinductive definition, if the occurrence of one predicate in the definition of the other is contravariant⁵. But this is not our situation. Instead, in our case, we have an inductive and a coinductive definition that use each other covariantly, but one is nested in the other. Specifically, we have the inductive definition nested in the coinductive definition⁶, since we want finite chunks of $\downarrow\!\approx^\circ\!\downarrow$ derivations to be weaved into an infinite $\approx^\circ$ derivation. The Agda developer community is currently exploring a novel approach to coinductive types (based on suspension types) [6, 7] where this form of mixing induction and coinduction is easily encoded while nesting the other way is problematic.

The two definitions of weak bisimilarity are equivalent.

⁵ This means looking for a least X and greatest Y solving a system of equations $X = F(Y, X)$, $Y = G(X, Y)$, where F and G are contravariant in their first arguments and covariant in their second arguments.

⁶ I.e., we have a definition of the form $\nu X.\, G(\mu Y.\, F(X, Y), X)$ with both F and G covariant in both arguments.
Lemma 3.2 For any r and $r_\star$, $r \approx r_\star$ iff $r \approx^\circ r_\star$.

Weak bisimilarity is a setoid predicate and an equivalence relation.

Lemma 3.3 Weak bisimilarity is a setoid predicate: for any r, r', $r_\star$, $r'_\star$, if $r \sim r'$, $r \approx r_\star$ and $r_\star \sim r'_\star$, then $r' \approx r'_\star$. Weak bisimilarity is an equivalence.

Proof Reflexivity and symmetry are straightforward to prove by coinduction. Below we sketch the proof of transitivity with the second formulation, $r \approx^\circ r_\star$, to show Mendler-style coinduction working in our favour. For binary relations X, Y, let $X \circ Y$ denote their composition; namely, $x\,(X \circ Y)\,x'$ if there is x'' such that $x\,X\,x''$ and $x''\,Y\,x'$. We first prove, by induction, transitivity for $\downarrow\!X\!\downarrow$, i.e., that, for any resumptions $r_0, r_1, r_2$ and setoid relations X, Y, if $r_0 \downarrow\!X\!\downarrow r_1$ and $r_1 \downarrow\!Y\!\downarrow r_2$, then $r_0 \downarrow\!(X \circ Y)\!\downarrow r_2$. Transitivity of $\approx^\circ$ states that, for any resumptions $r_0, r_1$ and $r_2$, if $r_0 \approx^\circ r_1$ and $r_1 \approx^\circ r_2$, then $r_0 \approx^\circ r_2$. The proof of this is by coinduction and inversion on $r_0 \approx^\circ r_1$ and $r_1 \approx^\circ r_2$. We show the main case. Suppose we have $r_0 \approx^\circ r_1$ and $r_1 \approx^\circ r_2$ because $r_0 \downarrow\!X\!\downarrow r_1$ and $r_1 \downarrow\!Y\!\downarrow r_2$ for some X and Y such that $X \subseteq {\approx^\circ}$ and $Y \subseteq {\approx^\circ}$. By the transitivity of $\downarrow\!X\!\downarrow$ (which was proved by induction separately above), we obtain $r_0 \downarrow\!(X \circ Y)\!\downarrow r_2$. Using the coinduction hypothesis, we have $X \circ Y \subseteq {\approx^\circ} \circ {\approx^\circ} \subseteq {\approx^\circ}$, which closes the case. Notably, the invocation of the coinduction hypothesis here is properly guarded thanks to our use of Mendler's trick. □

As one should expect, strongly bisimilar resumptions are weakly bisimilar.

Corollary 3.1 For any r, $r_\star$, if $r \sim r_\star$, then $r \approx r_\star$.

Proof Immediate from ≈ being a reflexive setoid predicate. □
Termination-sensitive bisimilarity has previously been considered by Kucera and Mayr [13] and Bohannon et al. [3] (but see also Bergstra et al. [?]). Their version is best suited for classical reasoning in the sense that terminating and silently diverging resumptions are distinguished by an upfront choice between convergence and divergence. This version of weak bisimilarity, denoted $r \approx_c r_\star$, is defined coinductively by

$$\frac{r \downarrow \mathit{ret}\,\sigma\quad r_\star \downarrow \mathit{ret}\,\sigma}{r \approx_c r_\star}\qquad \frac{r \downarrow \mathit{out}\,v\,r'\quad r_\star \downarrow \mathit{out}\,v\,r'_\star\quad r' \approx_c r'_\star}{r \approx_c r_\star}\qquad \frac{r \downarrow \mathit{in}\,f\quad r_\star \downarrow \mathit{in}\,f_\star\quad \forall v.\, f\,v \approx_c f_\star\,v}{r \approx_c r_\star}\qquad \frac{r\uparrow\quad r_\star\uparrow}{r \approx_c r_\star}$$

Only the fourth rule is different from the rules of ≈ and refers directly to divergence.

The classical-style version of weak bisimilarity, $\approx_c$, is stronger than the constructive-style version, ≈. The converse is only true classically.

Lemma 3.4 For any r and $r_\star$, if $r \approx_c r_\star$, then $r \approx r_\star$. Classically, for any r and $r_\star$, if $r \approx r_\star$, then $r \approx_c r_\star$.

We insist on the use of constructive-style weak bisimilarity, ≈, in the constructive setting, because the classical-style notion fails to enjoy some fundamental properties constructively.

Lemma 3.5 Classical-style weak bisimilarity is a setoid predicate. Classically, it is also an equivalence weaker than strong bisimilarity.

Proof We only prove that $\approx_c$ is an equivalence. Reflexivity: We prove that for any r, $r \approx_c r$ by coinduction. Classically, we have $\forall r_0.\, (\exists r.\, r_0 \downarrow r) \vee r_0\uparrow$. Should $r\uparrow$ hold, we immediately conclude $r \approx_c r$. Suppose there exists r' such that $r \downarrow r'$. Moreover suppose $r' = \mathit{in}\,f$ for some f. The coinduction hypothesis gives us that for any v, $f\,v \approx_c f\,v$, from which $r \approx_c r$ follows. The other cases, i.e., when $r' = \mathit{out}\,v\,r''$ for some v and r'' or $r' = \mathit{ret}\,\sigma$ for some σ, are similar. Symmetry: We prove constructively that for any r and r', if $r \approx_c r'$ then $r' \approx_c r$, by coinduction and inversion on $r \approx_c r'$. Transitivity: We prove constructively that for any r, r' and r'', if $r \approx_c r'$ and $r' \approx_c r''$ then $r \approx_c r''$, by coinduction and inversion on $r \approx_c r'$ and $r' \approx_c r''$. □

Constructively, it is not possible to show classical-style weak bisimilarity reflexive, and hence we cannot show any two strongly bisimilar resumptions classical-style weakly bisimilar.

A simple example of a resumption r not classical-style weakly bisimilar to itself constructively is given by any search process that is classically total, but cannot be proved terminating constructively, since no bound on the search can be given. By definition, a resumption can only be classical-style weakly bisimilar to another if it terminates or diverges. Constructively, the resumption r is only nondiverging; we cannot show it terminating.

4 Big-Step Semantics 

We now proceed to a first, basic (delayful) big-step operational semantics for our reactive While in terms of delayful resumptions. Evaluation $(s, \sigma) \Rightarrow r$, expressing that running a statement s from a state σ produces a resumption r, is defined coinductively by the rules in Figure 1. The rules for sequence and while implement the necessary sequencing with the help of extended evaluation $(s, r) \Rightarrow r'$, expressing that running a statement s from the last state (if it exists) of an already accumulated resumption r results in a total resumption r'. Extended evaluation is also defined coinductively, as the coinductive prefix closure of evaluation.

Input and output statements produce corresponding resumptions that perform input or output actions and terminate thereafter. We consider assignments and testing of the guards of if- and while-statements to constitute internal actions, observable as delays. This way we avoid introducing semantic anomalies, by making sure that any while-loop always progresses. But this choice also ensures that evaluation is total, as we should expect. It is also deterministic⁷, so we can equivalently turn our relational big-step semantics into a functional one: the unique resumption for a given configuration (statement-state pair) is definable by corecursion⁸. This semantics is a straightforward adaptation of the trace-based coinductive big-step semantics of non-interactive While from our previous work [17], where the details can be found and where we motivate all our design choices (e.g., why skip takes no time whereas the boolean guards do; we argue that our design is canonical).

Lemma 4.1 Evaluation is a setoid predicate. It is total and deterministic up to bisimilarity. 

Let us look at some examples. We have $(\mathbf{while}\ \mathit{true}\ \mathbf{do}\ \mathbf{skip}, \sigma) \Rightarrow \bot$ for any σ, i.e., while true do skip silently diverges. We also have $(\mathbf{input}\ x; \mathbf{while}\ \mathit{true}\ \mathbf{do}\ (\mathbf{output}\ x; x := x + 1), \sigma) \Rightarrow \mathit{in}\,(\lambda n.\, \mathit{up}\,n)$ where up is defined corecursively by $\mathit{up}\,n = \delta\,(\mathit{out}\,n\,(\delta\,(\mathit{up}\,(n + 1))))$, i.e., the statement counts up from the given input n. The two delays around every output action account for the internal actions of the assignment and the testing of the boolean guard. An interactive adder takes two inputs and outputs their sum, and repeats this process; that is, we have $(\mathbf{while}\ \mathit{true}\ \mathbf{do}\ (\mathbf{input}\ x; \mathbf{input}\ y; \mathbf{output}\ (x + y)), \sigma) \Rightarrow \mathit{sum}$ where sum is defined corecursively by $\mathit{sum} = \delta\,(\mathit{in}\,(\lambda m.\, \mathit{in}\,(\lambda n.\, \mathit{out}\,(m + n)\,\mathit{sum})))$.

Weak bisimilarity is useful for reasoning about the soundness of program transformations, where we accept that transformations may change the timing of a resumption. For instance, we have $(\mathbf{while}\ \mathit{true}\ \mathbf{do}\ (z := x; \mathbf{output}\ z), \sigma) \Rightarrow \mathit{rep}\,(\sigma\,x)$, where rep is defined corecursively by $\mathit{rep}\,n = \delta\,(\delta\,(\mathit{out}\,n\,(\mathit{rep}\,n)))$, and $(z := x; \mathbf{while}\ \mathit{true}\ \mathbf{do}\ \mathbf{output}\ z, \sigma) \Rightarrow \delta\,(\mathit{rep}'\,(\sigma\,x))$, where rep' is defined corecursively by $\mathit{rep}'\,n = \delta\,(\mathit{out}\,n\,(\mathit{rep}'\,n))$, with $\mathit{rep}\,n \approx \mathit{rep}'\,n$. The latter resumption is faster than the former, but they are weakly bisimilar. In fact, we can prove while e do (z := x; s) and z := x; while e do s to be weakly bisimilar whenever e is true of the initial state and s does not change x. Here, the latter statement is obtained from the former by loop-invariant code motion, a well-known compiler optimization; the optimization preserves the observable behaviour of the source statement, irrespective of its termination behaviour, which it must respect as well. We note that output 1 is not observationally equivalent to (while true do skip); output 1. More importantly, output 1 is not observationally equivalent to output 1; (while true do skip), since our weak bisimilarity is termination-sensitive. Of course, we can deal with more interesting program equivalences, such as the equivalence of $\mathit{mult} = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ (\mathbf{input}\ x; \mathbf{input}\ y; z := 0; \mathbf{while}\ x \neq 0\ \mathbf{do}\ (z := z + y; x := x - 1); \mathbf{output}\ z)$ and $\mathit{mult\_opt} = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ (\mathbf{input}\ x; \mathbf{input}\ y; \mathbf{if}\ x \geq 0\ \mathbf{then}\ \mathbf{output}\ x * y\ \mathbf{else}\ (\mathbf{while}\ \mathit{true}\ \mathbf{do}\ \mathbf{skip}))$, slow and fast interactive multipliers, which silently diverge when given a negative first operand.

$$\frac{}{(x := e, \sigma) \Rightarrow \delta\,(\mathit{ret}\,\sigma[x \mapsto [\![e]\!]\sigma])}\qquad \frac{}{(\mathbf{skip}, \sigma) \Rightarrow \mathit{ret}\,\sigma}\qquad \frac{(s_0, \sigma) \Rightarrow r\quad (s_1, r) \Rightarrow r'}{(s_0; s_1, \sigma) \Rightarrow r'}$$

$$\frac{\sigma \models e\quad (s_t, \delta\,(\mathit{ret}\,\sigma)) \Rightarrow r}{(\mathbf{if}\ e\ \mathbf{then}\ s_t\ \mathbf{else}\ s_f, \sigma) \Rightarrow r}\qquad \frac{\sigma \not\models e\quad (s_f, \delta\,(\mathit{ret}\,\sigma)) \Rightarrow r}{(\mathbf{if}\ e\ \mathbf{then}\ s_t\ \mathbf{else}\ s_f, \sigma) \Rightarrow r}$$

$$\frac{\sigma \models e\quad (s_t, \delta\,(\mathit{ret}\,\sigma)) \Rightarrow r\quad (\mathbf{while}\ e\ \mathbf{do}\ s_t, r) \Rightarrow r'}{(\mathbf{while}\ e\ \mathbf{do}\ s_t, \sigma) \Rightarrow r'}\qquad \frac{\sigma \not\models e}{(\mathbf{while}\ e\ \mathbf{do}\ s_t, \sigma) \Rightarrow \delta\,(\mathit{ret}\,\sigma)}$$

$$\frac{}{(\mathbf{input}\ x, \sigma) \Rightarrow \mathit{in}\,(\lambda v.\, \mathit{ret}\,\sigma[x \mapsto v])}\qquad \frac{}{(\mathbf{output}\ e, \sigma) \Rightarrow \mathit{out}\,([\![e]\!]\sigma)\,(\mathit{ret}\,\sigma)}$$

$$\frac{(s, \sigma) \Rightarrow r}{(s, \mathit{ret}\,\sigma) \Rightarrow r}\qquad \frac{\forall v.\, (s, f\,v) \Rightarrow f'\,v}{(s, \mathit{in}\,f) \Rightarrow \mathit{in}\,f'}\qquad \frac{(s, r) \Rightarrow r'}{(s, \mathit{out}\,v\,r) \Rightarrow \mathit{out}\,v\,r'}\qquad \frac{(s, r) \Rightarrow r'}{(s, \delta\,r) \Rightarrow \delta\,r'}$$

Figure 1: Basic (delayful) big-step semantics

⁷ Note that the external nondeterminism resulting from input actions is encapsulated in resumptions.

⁸ This aspect makes our big-step operational semantics very close in spirit to denotational semantics, specifically, denotational semantics in terms of Kleisli categories, here, the Kleisli category of a resumptions monad.
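The following is an added example, not taken from the paper or its Coq development, that reads the rules of Figure 1 as a corecursive interpreter: ev implements evaluation (s, σ) ⇒ r and ext implements extended evaluation (s, r) ⇒ r', both building the resumption lazily so that diverging programs are handled. The tuple encoding of statements, the use of Python callables for expressions, the dict-based states and all function names (ev, ext, events, observable) are assumptions of this example; the sample programs are the ones discussed in the text (the counting loop, the adder, and the two loop-invariant code motion variants), transcribed here by hand.

```python
# Resumption constructors (lazy: k is a thunk, f a function on inputs).
def ret(sigma):  return ("ret", sigma)
def inp(f):      return ("in", f)
def out(v, k):   return ("out", v, k)
def delay(k):    return ("delay", k)

# Statements are tuples; expressions are Python callables from a state (dict
# from variable names to ints) to an int, 0 counting as false (constructed encoding):
#   ("skip",) ("assign", x, e) ("seq", s0, s1) ("if", e, st, sf)
#   ("while", e, st) ("input", x) ("output", e)

def ev(stmt, sigma):
    """(s, σ) ⇒ r, the rules of Figure 1 read as a corecursive function."""
    tag = stmt[0]
    if tag == "skip":                        # skip takes no time
        return ret(sigma)
    if tag == "assign":                      # an assignment is one internal step
        _, x, e = stmt
        return delay(lambda: ret({**sigma, x: e(sigma)}))
    if tag == "seq":                         # run s1 after whatever s0 produces
        _, s0, s1 = stmt
        return ext(s1, ev(s0, sigma))
    if tag == "if":                          # testing the guard is a delay step
        _, e, st, sf = stmt
        return ext(st if e(sigma) != 0 else sf, delay(lambda: ret(sigma)))
    if tag == "while":
        _, e, st = stmt
        if e(sigma) != 0:                    # body after the guard's delay, then loop again
            return ext(stmt, ext(st, delay(lambda: ret(sigma))))
        return delay(lambda: ret(sigma))     # a failed guard still costs a delay
    if tag == "input":
        _, x = stmt
        return inp(lambda v: ret({**sigma, x: v}))
    _, e = stmt                              # "output"
    return out(e(sigma), lambda: ret(sigma))

def ext(stmt, r):
    """(s, r) ⇒ r', extended evaluation: run s from the final state of r, if any."""
    tag = r[0]
    if tag == "ret":
        return ev(stmt, r[1])
    if tag == "in":
        return inp(lambda v: ext(stmt, r[1](v)))
    if tag == "out":
        return out(r[1], lambda: ext(stmt, r[2]()))
    return delay(lambda: ext(stmt, r[1]()))

def events(r, inputs=(), n=8):
    """The first n nodes of r as a list of "δ", ("in", v), ("out", v) and
    ("ret", σ), feeding values from `inputs` at input nodes (stops early when
    the program terminates or no input is left)."""
    trace, inputs = [], iter(inputs)
    while len(trace) < n:
        tag = r[0]
        if tag == "ret":
            trace.append(("ret", r[1]))
            break
        if tag == "delay":
            trace.append("δ"); r = r[1]()
        elif tag == "out":
            trace.append(("out", r[1])); r = r[2]()
        else:
            v = next(inputs, None)
            if v is None:
                break
            trace.append(("in", v)); r = r[1](v)
    return trace

def observable(r, inputs=(), k=4, fuel=64):
    """The first k observable nodes of r with delays dropped (at most `fuel` nodes inspected)."""
    return [e for e in events(r, inputs, fuel) if e != "δ"][:k]

# The example programs of Section 4, transcribed by hand (`true` is the constant 1).
TRUE = lambda s: 1
COUNT_UP = ("seq", ("input", "x"),
            ("while", TRUE, ("seq", ("output", lambda s: s["x"]),
                                    ("assign", "x", lambda s: s["x"] + 1))))
ADDER = ("while", TRUE, ("seq", ("input", "x"),
                          ("seq", ("input", "y"), ("output", lambda s: s["x"] + s["y"]))))
LOOP = ("while", TRUE, ("seq", ("assign", "z", lambda s: s["x"]),
                        ("output", lambda s: s["z"])))
HOISTED = ("seq", ("assign", "z", lambda s: s["x"]),
           ("while", TRUE, ("output", lambda s: s["z"])))

if __name__ == "__main__":
    print(events(ev(COUNT_UP, {}), inputs=[7]))      # in 7, δ, out 7, δ, δ, out 8, δ, δ
    print(events(ev(ADDER, {}), inputs=[2, 3, 4, 5]))  # δ, in 2, in 3, out 5, δ, in 4, in 5, out 9
    print(events(ev(LOOP, {"x": 5})))                # δ δ out 5 δ δ out 5 ...  = rep 5
    print(events(ev(HOISTED, {"x": 5})))             # δ δ out 5 δ out 5 δ ...  = δ (rep' 5)
```

Running the two code-motion variants side by side makes the point of the section visible: the delayful traces differ in their δ pattern (two delays per output versus one), while the observable traces coincide, which is what termination-sensitive weak bisimilarity of the two resumptions amounts to for these programs.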

5 Small-Step Semantics 

In this section, we introduce an equivalent small-step semantics and define weak bisimilarity of configu- 
rations (statement-state pairs) in terms of it. We then prove two configurations to be weakly bisimilar if 
and only if their evaluations produce weakly bisimilar resumptions. 

A configuration (s, σ) is a pair of a statement and a state. Labelled configurations $c : \mathit{lconf}$ are defined⁹ by

$$\frac{\sigma : \mathit{state}}{\mathit{ret}\,\sigma : \mathit{lconf}}\qquad \frac{s : \mathit{stmt}\quad g : \mathit{Int} \to \mathit{state}}{\mathit{in}\,s\,g : \mathit{lconf}}\qquad \frac{v : \mathit{Int}\quad s : \mathit{stmt}\quad \sigma : \mathit{state}}{\mathit{out}\,v\,s\,\sigma : \mathit{lconf}}\qquad \frac{s : \mathit{stmt}\quad \sigma : \mathit{state}}{\delta\,s\,\sigma : \mathit{lconf}}$$

A terminality predicate/one-step reduction relation → is defined in Figure 2 (top half). If $c = \mathit{ret}\,\sigma'$, then the proposition $(s, \sigma) \to c$ means that the configuration (s, σ) has terminated at state σ'. In other cases, it corresponds to a labelled transition: if $c = \mathit{in}\,s'\,g$, we take an input v and evolve to a configuration $(s', g\,v)$; if $c = \mathit{out}\,v\,s'\,\sigma'$, we output v and evolve to (s', σ'); if $c = \delta\,s'\,\sigma'$, the configuration (s, σ) evolves to a configuration (s', σ') in a delay step. We have chosen to label configurations rather than transitions so that labelled configurations become "trunks" of resumptions.

⁹ The definition is non-recursive, but we pretend that it is inductive, as we also do in Coq.

K. Nakata & T. Uustalu

$$\frac{}{(x := e, \sigma) \to \delta\,\mathbf{skip}\,\sigma[x \mapsto [\![e]\!]\sigma]}\qquad \frac{}{(\mathbf{skip}, \sigma) \to \mathit{ret}\,\sigma}$$

$$\frac{(s_0, \sigma) \to \mathit{ret}\,\sigma'\quad (s_1, \sigma') \to c}{(s_0; s_1, \sigma) \to c}\qquad \frac{(s_0, \sigma) \to \mathit{in}\,s'\,g}{(s_0; s_1, \sigma) \to \mathit{in}\,(s'; s_1)\,g}\qquad \frac{(s_0, \sigma) \to \mathit{out}\,v\,s'\,\sigma'}{(s_0; s_1, \sigma) \to \mathit{out}\,v\,(s'; s_1)\,\sigma'}\qquad \frac{(s_0, \sigma) \to \delta\,s'\,\sigma'}{(s_0; s_1, \sigma) \to \delta\,(s'; s_1)\,\sigma'}$$

$$\frac{\sigma \models e}{(\mathbf{if}\ e\ \mathbf{then}\ s_t\ \mathbf{else}\ s_f, \sigma) \to \delta\,s_t\,\sigma}\qquad \frac{\sigma \not\models e}{(\mathbf{if}\ e\ \mathbf{then}\ s_t\ \mathbf{else}\ s_f, \sigma) \to \delta\,s_f\,\sigma}$$

$$\frac{\sigma \models e}{(\mathbf{while}\ e\ \mathbf{do}\ s_t, \sigma) \to \delta\,(s_t; \mathbf{while}\ e\ \mathbf{do}\ s_t)\,\sigma}\qquad \frac{\sigma \not\models e}{(\mathbf{while}\ e\ \mathbf{do}\ s_t, \sigma) \to \delta\,\mathbf{skip}\,\sigma}$$

$$\frac{}{(\mathbf{input}\ x, \sigma) \to \mathit{in}\,\mathbf{skip}\,(\lambda v.\, \sigma[x \mapsto v])}\qquad \frac{}{(\mathbf{output}\ e, \sigma) \to \mathit{out}\,([\![e]\!]\sigma)\,\mathbf{skip}\,\sigma}$$

$$\frac{(s, \sigma) \to \mathit{ret}\,\sigma'}{(s, \sigma) \rightsquigarrow \mathit{ret}\,\sigma'}\qquad \frac{(s, \sigma) \to \delta\,s'\,\sigma'\quad (s', \sigma') \rightsquigarrow r}{(s, \sigma) \rightsquigarrow \delta\,r}$$

$$\frac{(s, \sigma) \to \mathit{in}\,s'\,g\quad \forall v.\, (s', g\,v) \rightsquigarrow f\,v}{(s, \sigma) \rightsquigarrow \mathit{in}\,f}\qquad \frac{(s, \sigma) \to \mathit{out}\,v\,s'\,\sigma'\quad (s', \sigma') \rightsquigarrow r}{(s, \sigma) \rightsquigarrow \mathit{out}\,v\,r}$$

Figure 2: Small-step semantics

Weak bisimilarity of two configurations is defined in terms of terminality/one-step reduction. Again, convergence, $(s, \sigma) \downarrow c$, states that either (s, σ) terminates or performs an observable action in a finite number of steps. It is defined inductively by

$$\frac{(s, \sigma) \to \mathit{ret}\,\sigma'}{(s, \sigma) \downarrow \mathit{ret}\,\sigma'}\qquad \frac{(s, \sigma) \to \mathit{out}\,v\,s'\,\sigma'}{(s, \sigma) \downarrow \mathit{out}\,v\,s'\,\sigma'}\qquad \frac{(s, \sigma) \to \mathit{in}\,s'\,g}{(s, \sigma) \downarrow \mathit{in}\,s'\,g}\qquad \frac{(s, \sigma) \to \delta\,s'\,\sigma'\quad (s', \sigma') \downarrow c}{(s, \sigma) \downarrow c}$$

(We overload the same notations for resumptions and configurations without ambiguity.) Weak bisimilarity on configurations is defined coinductively by

$$\frac{(s, \sigma) \downarrow \mathit{ret}\,\sigma'\quad (s_\star, \sigma_\star) \downarrow \mathit{ret}\,\sigma'}{(s, \sigma) \approx (s_\star, \sigma_\star)}\qquad \frac{(s, \sigma) \downarrow \mathit{in}\,s'\,g\quad (s_\star, \sigma_\star) \downarrow \mathit{in}\,s'_\star\,g_\star\quad \forall v.\, (s', g\,v) \approx (s'_\star, g_\star\,v)}{(s, \sigma) \approx (s_\star, \sigma_\star)}$$

$$\frac{(s, \sigma) \downarrow \mathit{out}\,v\,s'\,\sigma'\quad (s_\star, \sigma_\star) \downarrow \mathit{out}\,v\,s'_\star\,\sigma'_\star\quad (s', \sigma') \approx (s'_\star, \sigma'_\star)}{(s, \sigma) \approx (s_\star, \sigma_\star)}\qquad \frac{(s, \sigma) \to \delta\,s'\,\sigma'\quad (s_\star, \sigma_\star) \to \delta\,s'_\star\,\sigma'_\star\quad (s', \sigma') \approx (s'_\star, \sigma'_\star)}{(s, \sigma) \approx (s_\star, \sigma_\star)}$$

Two configurations are weakly bisimilar if and only if their evaluations yield weakly bisimilar resumptions.

Lemma 5.1 For any $s, s_\star, \sigma$ and $\sigma_\star$, $(s, \sigma) \approx (s_\star, \sigma_\star)$ iff there exist r and $r_\star$ such that $(s, \sigma) \Rightarrow r$, $(s_\star, \sigma_\star) \Rightarrow r_\star$ and $r \approx r_\star$.

The evaluation relation of the small-step semantics is defined in Figure 2 (bottom half). It is the terminal many-step reduction relation, defined coinductively. The proposition $(s, \sigma) \rightsquigarrow r$ means that running s from the state σ produces the resumption r.

The big-step and small-step semantics are equivalent.

Proposition 5.1 For any s, σ and r, $(s, \sigma) \Rightarrow r$ iff $(s, \sigma) \rightsquigarrow r$.
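As an added example (not the paper's own code), here are the rules of Figure 2 in Python: step is the terminality/one-step reduction (s, σ) → c on labelled configurations, run is the terminal many-step reduction (s, σ) ⇝ r built lazily as a resumption, and trace drives step directly to record the labels of a run. The encodings (tuples for statements and labelled configurations, callables for expressions, dicts for states) and the function names are this example's assumptions; the traces it produces for the sample programs of Section 4 coincide with the resumptions the text computes by hand from Figure 1 (up n, rep, rep'), which is Proposition 5.1 observed on examples rather than proved.

```python
# Labelled configurations of Figure 2 (constructed encoding):
#   ("ret", σ) | ("in", s', g) | ("out", v, s', σ') | ("delay", s', σ')
# with g : Int -> state. Statements are tuples ("skip",), ("assign", x, e),
# ("seq", s0, s1), ("if", e, st, sf), ("while", e, st), ("input", x),
# ("output", e); expressions are callables state -> int, 0 being false.

def step(stmt, sigma):
    """Terminality / one-step reduction (s, σ) → c, the top half of Figure 2."""
    tag = stmt[0]
    if tag == "skip":
        return ("ret", sigma)
    if tag == "assign":
        _, x, e = stmt
        return ("delay", ("skip",), {**sigma, x: e(sigma)})
    if tag == "seq":
        _, s0, s1 = stmt
        c = step(s0, sigma)
        if c[0] == "ret":                    # s0 finished silently: go on with s1 now
            return step(s1, c[1])
        if c[0] == "in":                     # otherwise s1 is queued behind the residual
            _, s_, g = c
            return ("in", ("seq", s_, s1), g)
        if c[0] == "out":
            _, v, s_, sigma_ = c
            return ("out", v, ("seq", s_, s1), sigma_)
        _, s_, sigma_ = c
        return ("delay", ("seq", s_, s1), sigma_)
    if tag == "if":                          # guard test is a delay step
        _, e, st, sf = stmt
        return ("delay", st if e(sigma) != 0 else sf, sigma)
    if tag == "while":                       # unfold one iteration, or stop, in a delay step
        _, e, st = stmt
        return ("delay", ("seq", st, stmt) if e(sigma) != 0 else ("skip",), sigma)
    if tag == "input":
        _, x = stmt
        return ("in", ("skip",), lambda v: {**sigma, x: v})
    _, e = stmt                              # "output"
    return ("out", e(sigma), ("skip",), sigma)

def run(stmt, sigma):
    """(s, σ) ⇝ r: terminal many-step reduction as a lazily built resumption
    ("ret", σ) | ("in", f) | ("out", v, k) | ("delay", k), bottom half of Figure 2."""
    c = step(stmt, sigma)
    if c[0] == "ret":
        return ("ret", c[1])
    if c[0] == "in":
        return ("in", lambda v: run(c[1], c[2](v)))
    if c[0] == "out":
        return ("out", c[1], lambda: run(c[2], c[3]))
    return ("delay", lambda: run(c[1], c[2]))

def trace(stmt, sigma, inputs=(), n=8):
    """Drive (s, σ) with `step` for up to n labelled steps, recording each label
    as "δ", ("in", v), ("out", v) or ("ret", σ); stops when out of inputs."""
    labels, inputs = [], iter(inputs)
    while len(labels) < n:
        c = step(stmt, sigma)
        if c[0] == "ret":
            labels.append(("ret", c[1]))
            break
        if c[0] == "in":
            v = next(inputs, None)
            if v is None:
                break
            labels.append(("in", v)); stmt, sigma = c[1], c[2](v)
        elif c[0] == "out":
            labels.append(("out", c[1])); stmt, sigma = c[2], c[3]
        else:
            labels.append("δ"); stmt, sigma = c[1], c[2]
    return labels

# Sample programs of Section 4, transcribed by hand (`true` is the constant 1).
TRUE = lambda s: 1
COUNT_UP = ("seq", ("input", "x"),
            ("while", TRUE, ("seq", ("output", lambda s: s["x"]),
                                    ("assign", "x", lambda s: s["x"] + 1))))
LOOP = ("while", TRUE, ("seq", ("assign", "z", lambda s: s["x"]),
                        ("output", lambda s: s["z"])))
HOISTED = ("seq", ("assign", "z", lambda s: s["x"]),
           ("while", TRUE, ("output", lambda s: s["z"])))

if __name__ == "__main__":
    print(trace(COUNT_UP, {}, inputs=[7]))     # in 7, δ, out 7, δ, δ, out 8, δ, δ  (= in (λn. up n))
    print(trace(LOOP, {"x": 5}))               # δ δ out 5 δ δ out 5 ...             (= rep 5)
    print(trace(HOISTED, {"x": 5}))            # δ δ out 5 δ out 5 δ ...             (= δ (rep' 5))
```

Note that the sequence rule whose first premise is a terminated configuration makes step recurse immediately into s1, which is why skip costs no step here either: the delays in the traces come only from assignments and guard tests, exactly as in the big-step semantics.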
6 Delay-Free Big-Step Semantics

So far we explicitly dealt with delay steps in a fully general and constructive manner. However, it is 
also possible to define big-step semantics in terms of resumptions without delay steps, by collapsing 
them on the fly, if they come in finite sequences. In this section, we define a delay-free semantics for 
configurations that lead to responsive resumptions. 

We define delay-free resumptions, $r : \mathit{res}_r$, and their (strong) bisimilarity coinductively by

$$\frac{\sigma : \mathit{state}}{\mathit{ret}_r\,\sigma : \mathit{res}_r}\qquad \frac{f : \mathit{Int} \to \mathit{res}_r}{\mathit{in}_r\,f : \mathit{res}_r}\qquad \frac{v : \mathit{Int}\quad r : \mathit{res}_r}{\mathit{out}_r\,v\,r : \mathit{res}_r}$$

$$\frac{}{\mathit{ret}_r\,\sigma \sim \mathit{ret}_r\,\sigma}\qquad \frac{\forall v.\, f\,v \sim f_\star\,v}{\mathit{in}_r\,f \sim \mathit{in}_r\,f_\star}\qquad \frac{r \sim r_\star}{\mathit{out}_r\,v\,r \sim \mathit{out}_r\,v\,r_\star}$$

A responsive delayful resumption $r : \mathit{res}$ can be normalized into a delay-free resumption by collapsing the finite sequences of delay steps it has between observable actions. We define normalization, $\mathit{norm} : (r : \mathit{res}) \to r\Downarrow \to \mathit{res}_r$, and embedding of delay-free resumptions into delayful resumptions, $\mathit{emb} : \mathit{res}_r \to \mathit{res}$, by corecursion. In the definition of norm, we examine the proof of $r\Downarrow$, i.e., r's responsiveness.

$$\begin{array}{lcl}
\mathit{norm}\ r\ (\text{resp-ret}\ \sigma\ \_) &=& \mathit{ret}_r\,\sigma \\
\mathit{norm}\ r\ (\text{resp-in}\ f\ \_\ k) &=& \mathit{in}_r\,(\lambda v.\, \mathit{norm}\ (f\,v)\ (k\,v)) \\
\mathit{norm}\ r\ (\text{resp-out}\ v\ r'\ \_\ h) &=& \mathit{out}_r\,v\,(\mathit{norm}\ r'\ h)
\end{array}
\qquad
\begin{array}{lcl}
\mathit{emb}\ (\mathit{ret}_r\,\sigma) &=& \mathit{ret}\,\sigma \\
\mathit{emb}\ (\mathit{in}_r\,f) &=& \mathit{in}\,(\lambda v.\, \mathit{emb}\ (f\,v)) \\
\mathit{emb}\ (\mathit{out}_r\,v\,r) &=& \mathit{out}\,v\,(\mathit{emb}\ r)
\end{array}$$

A delayful resumption is weakly bisimilar to a delay-free one if and only if it is responsive and its normal form is strongly bisimilar to the latter.

Lemma 6.1 For any $r : \mathit{res}$ and $r_\star : \mathit{res}_r$, $r \approx \mathit{emb}\ r_\star$ iff $\mathit{norm}\ r\ h \sim r_\star$ for some $h : r\Downarrow$.

(The convergence proofs of a resumption are strongly bisimilar, so h is unique up to that extent.)

Corollary 6.1 (i) For any $r : \mathit{res}$, $h : r\Downarrow$, $r \approx \mathit{emb}\ (\mathit{norm}\ r\ h)$. (ii) For any r, $h : r\Downarrow$ and $r_\star$, $h_\star : r_\star\Downarrow$, $r \approx r_\star$ iff $\mathit{norm}\ r\ h \sim \mathit{norm}\ r_\star\ h_\star$.

In Figure 3 we define the delay-free big-step semantics for responsive programs. Here we have an inductive definition of a parameterized evaluation relation ⇒↓(X), defined in terms of X, for any relation X, nested into a coinductive definition of an extended evaluation relation ⇒̂ defined in terms of ⇒↓(⇒̂). Finally, the actual evaluation relation ⇒_r of interest is obtained by instantiating ⇒↓ at ⇒̂. Since we collapse delay steps on the fly, an assignment immediately terminates at the updated state. Likewise, testing the guard of a conditional or a while-loop takes no time. The crucial rules are those for sequence and while-loop. If the first statement of a sequence or the body of a while-loop terminates silently, the second statement or the next iteration of the loop is run using the inductive evaluation. The coinductive extended evaluation is used only if the first statement or the body performs at least one input or output action.

This way, we make sure that only a finite number of delay steps may be collapsed between two observable actions, while allowing for diverging runs which perform input and output every now and then. Indeed, if we replaced the while-ret rule with

$$
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{ret}_r\,\sigma' \quad (\mathrm{while}\ e\ \mathrm{do}\ s_t, \mathit{ret}_r\,\sigma') \mathrel{\hat{\Rightarrow}} r'}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\downarrow}(X)\ r'}
$$

we would obtain semantic anomalies. E.g., (while true do skip, σ) ⇒_r r would be derived for any r : res_r.
$$
\frac{}{(x := e, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{ret}_r\,(\sigma[x \mapsto [\![e]\!]\sigma])}
\qquad
\frac{}{(\mathrm{skip}, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{ret}_r\,\sigma}
\qquad
\frac{(s_0, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{ret}_r\,\sigma' \quad (s_1, \sigma') \Rightarrow_{\downarrow}(X)\ r}{(s_0; s_1, \sigma) \Rightarrow_{\downarrow}(X)\ r}
$$

$$
\frac{(s_0, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{in}_r\,f \quad \forall v.\ (s_1, f\,v)\ X\ f'\,v}{(s_0; s_1, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{in}_r\,f'}
\qquad
\frac{(s_0, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{out}_r\,v\,r \quad (s_1, r)\ X\ r'}{(s_0; s_1, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{out}_r\,v\,r'}
$$

$$
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow}(X)\ r}{(\mathrm{if}\ e\ \mathrm{then}\ s_t\ \mathrm{else}\ s_f, \sigma) \Rightarrow_{\downarrow}(X)\ r}
\qquad
\frac{e \not\models \sigma \quad (s_f, \sigma) \Rightarrow_{\downarrow}(X)\ r}{(\mathrm{if}\ e\ \mathrm{then}\ s_t\ \mathrm{else}\ s_f, \sigma) \Rightarrow_{\downarrow}(X)\ r}
$$

$$
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{ret}_r\,\sigma' \quad (\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma') \Rightarrow_{\downarrow}(X)\ r}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\downarrow}(X)\ r}
\qquad
\frac{e \not\models \sigma}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{ret}_r\,\sigma}
$$

$$
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{in}_r\,f \quad \forall v.\ (\mathrm{while}\ e\ \mathrm{do}\ s_t, f\,v)\ X\ f'\,v}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{in}_r\,f'}
\qquad
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{out}_r\,v\,r \quad (\mathrm{while}\ e\ \mathrm{do}\ s_t, r)\ X\ r'}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{out}_r\,v\,r'}
$$

$$
\frac{}{(\mathrm{input}\ x, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{in}_r\,(\lambda v.\ \mathit{ret}_r\,\sigma[x \mapsto v])}
\qquad
\frac{}{(\mathrm{output}\ e, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{out}_r\,([\![e]\!]\sigma)\,(\mathit{ret}_r\,\sigma)}
$$

$$
\frac{X \subseteq \hat{\Rightarrow} \quad (s, \sigma) \Rightarrow_{\downarrow}(X)\ r}{(s, \mathit{ret}_r\,\sigma) \mathrel{\hat{\Rightarrow}} r}
\qquad
\frac{\forall v.\ (s, f\,v) \mathrel{\hat{\Rightarrow}} f'\,v}{(s, \mathit{in}_r\,f) \mathrel{\hat{\Rightarrow}} \mathit{in}_r\,f'}
\qquad
\frac{(s, r) \mathrel{\hat{\Rightarrow}} r'}{(s, \mathit{out}_r\,v\,r) \mathrel{\hat{\Rightarrow}} \mathit{out}_r\,v\,r'}
$$

$$
\frac{(s, \sigma) \Rightarrow_{\downarrow}(\hat{\Rightarrow})\ r}{(s, \sigma) \Rightarrow_r r}
$$

Figure 3: Delay-free big-step semantics

Coming back to the examples of the previous section, we have (input x; while true do (output x; x := x + 1), σ) ⇒_r in_r (λn. up_r n) where up_r is defined corecursively by up_r n = out_r n (up_r (n + 1)). We also have (while true do (z := x; output z), σ) ⇒_r rep_r (σ x) and (z := x; while true do output z, σ) ⇒_r rep_r (σ x) where rep_r is defined corecursively by rep_r n = out_r n (rep_r n). Since the delay steps are collapsed on the fly in the delay-free semantics, the two statements produce the same, i.e., strongly bisimilar, (delay-free) resumptions. The delay-free semantics does not account for (i.e., does not assign a resumption to) non-responsive configurations, such as while true do skip and the interactive multipliers from the previous section (since they diverge given a negative input for the first operand), with any initial state.

We state adequacy of the delay-free semantics by relating it to the delayful semantics of Section 4. Namely, for configurations leading to responsive resumptions they agree.

Proposition 6.1 (Soundness) For any s, σ and r : res_r, if (s, σ) ⇒_r r then there exists r' : res such that (s, σ) ⇒ r' and emb r ≃ r'.

Proposition 6.2 (Completeness) For any s, σ, r : res and h : r⇓, if (s, σ) ⇒ r, then (s, σ) ⇒_r norm r h.

The proofs are omitted due to the space limitation. They are nontrivial and the details can be found 
in the accompanying Coq development. Below we demonstrate the key proof technique on an example. 

Consider the statement count = while true do (if i > 0 then i := i − 1 else (output x; x := x + 1; i := x)). It counts up from 0, so we should have (count, σ) ⇒_r up_r 0 for an initial state σ that maps x and i to 0. We need coinduction since count performs outputs infinitely often; we also need induction, nested into coinduction, since the loop silently iterates n times each time before outputting n. Note that the latency is finite but unbounded.
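The on-the-fly normalization of this section (norm collapsing finite delay runs) and the count and rep examples above, as an added Python example that is not part of the paper or its Coq development: the tagged-tuple encodings of statements and resumptions, a delay budget standing in for the responsiveness proof h, and the function names run, extend, collapse and trace are assumptions made here.

```python
# Added example, not from the paper's Coq development: delayful resumptions for
# While with I/O as lazy Python values, the delayful evaluation of Appendix A.2
# extended with input and output, and a fuel-bounded `norm` that collapses the
# finite delay runs between observable actions (Section 6).  The tagged-tuple
# encodings of statements and resumptions are choices made for this example.

# Delayful resumption r: ("ret", σ) | ("delay", thunk) | ("in", k) | ("out", v, thunk);
# tails are thunks, so an infinite resumption is built lazily, like a coinductive value.

class NotResponsive(Exception):
    """The delay budget ran out before the next observable action."""

def run(s, sigma):
    """Delayful evaluation (s, σ) ⇒ r: assignments and guard tests cost one δ."""
    kind = s[0]
    if kind == "skip":
        return ("ret", sigma)
    if kind == "assign":
        _, x, e = s
        return ("delay", lambda: ("ret", {**sigma, x: e(sigma)}))
    if kind == "input":
        _, x = s
        return ("in", lambda v: ("ret", {**sigma, x: v}))
    if kind == "output":
        _, e = s
        return ("out", e(sigma), lambda: ("ret", sigma))
    if kind == "seq":
        _, s0, s1 = s
        return extend(s1, run(s0, sigma))
    if kind == "if":
        _, e, st, sf = s
        return ("delay", lambda: run(st if e(sigma) else sf, sigma))
    _, e, body = s  # "while": test the guard, run the body, then the loop again, lazily
    return ("delay", lambda: extend(s, run(body, sigma)) if e(sigma) else ("ret", sigma))

def extend(s, r):
    """Extended evaluation (s, r) ⇒̂ r': run s after r terminates, keeping r's actions."""
    if r[0] == "ret":
        return run(s, r[1])
    if r[0] == "delay":
        return ("delay", lambda: extend(s, r[1]()))
    if r[0] == "in":
        return ("in", lambda v: extend(s, r[1](v)))
    return ("out", r[1], lambda: extend(s, r[2]()))

def collapse(r, budget):
    """One step of on-the-fly normalization: strip the δ-run in front of the next
    action and report its length.  The budget stands in for the responsiveness proof
    h that norm examines; exhausting it is NOT a proof of divergence (deciding that
    is exactly what the classical-style semantics of Section 7 needs)."""
    for k in range(budget + 1):
        if r[0] != "delay":
            return r, k
        r = r[1]()
    raise NotResponsive(f"more than {budget} consecutive delays")

def trace(s, sigma, inputs, n, budget=10_000):
    """First n actions of norm (run s σ), each with the number of delays collapsed
    before it; `inputs` is a constructed stream that feeds the in-actions."""
    r, events, inputs = run(s, sigma), [], list(inputs)
    while len(events) < n:
        r, k = collapse(r, budget)
        if r[0] == "ret":
            events.append((k, ("ret", dict(r[1]))))
            break
        if r[0] == "in":
            v = inputs.pop(0)
            events.append((k, ("in", v)))
            r = r[1](v)
        else:
            events.append((k, ("out", r[1])))
            r = r[2]()
    return events

# The paper's count = while true do (if i > 0 then i := i - 1 else (output x; x := x + 1; i := x))
COUNT = ("while", lambda _: True,
         ("if", lambda sg: sg["i"] > 0,
          ("assign", "i", lambda sg: sg["i"] - 1),
          ("seq", ("output", lambda sg: sg["x"]),
           ("seq", ("assign", "x", lambda sg: sg["x"] + 1),
            ("assign", "i", lambda sg: sg["x"])))))
```

Running trace(COUNT, {"x": 0, "i": 0}, [], 4) yields the outputs 0, 1, 2, 3 with 2, 7, 10 and 13 delays collapsed before them, the finite but growing latency the text describes; the two rep programs differ in their delay counts but agree on the delay-free actions.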

We cannot perform induction inside coinduction naively. That would be rejected by Coq's syntactic guardedness checker, which is there to ensure productivity of coinduction. Mendler-style coinduction comes to the rescue. Let (s, r) R r' be a relation on pairs (s, r) of a statement and a resumption and resumptions r', defined inductively by

$$
\frac{}{(\mathit{count}, \mathit{ret}_r\,\sigma[x \mapsto n, i \mapsto n])\ R\ \mathit{up}_r\,n}
\qquad
\frac{(s, r)\ R\ r'}{(s, \mathit{out}_r\,v\,r)\ R\ \mathit{out}_r\,v\,r'}
\qquad
\frac{(s, \sigma) \Rightarrow_{\downarrow}(R)\ r}{(s, \mathit{ret}_r\,\sigma)\ R\ r}
$$

The key fact is that R is stronger than ⇒̂ (Lemma 6.6 below). We first prove that ⇒↓ is monotone by induction.

Lemma 6.2 For any X, Y, s, σ and r such that X ⊆ Y, if (s, σ) ⇒↓(X) r, then (s, σ) ⇒↓(Y) r.

The following two lemmata are proved by straightforward application of the rules in Figure 3.

Lemma 6.3 For any n, (if i > 0 then i := i − 1 else (output x; x := x + 1; i := x), σ[x ↦ n, i ↦ 0]) ⇒↓(R) out_r n (ret_r σ[x ↦ n + 1, i ↦ n + 1]).

Lemma 6.4 For any n and m, (if i > 0 then i := i − 1 else (output x; x := x + 1; i := x), σ[x ↦ n, i ↦ m + 1]) ⇒↓(R) ret_r σ[x ↦ n, i ↦ m].

The next lemma is proved by induction on m, using the two lemmata just proved.

Lemma 6.5 For any n and m, (count, σ[x ↦ n, i ↦ m]) ⇒↓(R) out_r n (up_r (n + 1)).

Corollary 6.2 For any n, (count, σ[x ↦ n, i ↦ n]) ⇒↓(R) up_r n.

We can now prove that R is stronger than ⇒̂ by coinduction and inversion on (s, r) R r'. Here is the crux: Corollary 6.2 together with the coinduction hypothesis gives (count, ret_r σ[x ↦ n, i ↦ n]) ⇒̂ up_r n, and the use of the coinduction hypothesis is properly guarded.

Lemma 6.6 For any s, r and r', if (s, r) R r' then (s, r) ⇒̂ r'.

The main proposition follows from Corollary 6.2, Lemma 6.6 and the monotonicity of ⇒↓ (Lemma 6.2).

Proposition 6.3 For any n, (count, σ[x ↦ n, i ↦ n]) ⇒_r up_r n.

7 Classical-Style Big-Step Semantics 

In Section 2 we augmented the definition of responsiveness with a divergence option to obtain a concept of committedness, which is a classically tautological predicate. Similarly, we can obtain a delay-free semantics for committed configurations from the delay-free semantics for responsive configurations of the previous section. To do so, we extend the definition of delay-free resumptions with a "black hole" constructor, •, representing silent divergence, arriving at classical-style resumptions, and adjust the definition of (strong) bisimilarity:

$$
\frac{\sigma : \mathit{state}}{\mathit{ret}_c\,\sigma : \mathit{res}_c}
\qquad
\frac{f : \mathit{Int} \to \mathit{res}_c}{\mathit{in}_c\,f : \mathit{res}_c}
\qquad
\frac{v : \mathit{Int} \quad r : \mathit{res}_c}{\mathit{out}_c\,v\,r : \mathit{res}_c}
\qquad
\frac{}{\bullet : \mathit{res}_c}
$$

$$
\frac{}{\mathit{ret}_c\,\sigma \approx \mathit{ret}_c\,\sigma}
\qquad
\frac{\forall v.\ f\,v \approx f^*\,v}{\mathit{in}_c\,f \approx \mathit{in}_c\,f^*}
\qquad
\frac{r \approx r^*}{\mathit{out}_c\,v\,r \approx \mathit{out}_c\,v\,r^*}
\qquad
\frac{}{\bullet \approx \bullet}
$$
Given a proof h : r⇕ of committedness of a delayful resumption r : res, we can normalize r into a classical-style resumption by collapsing the finite delays between observable actions and sending silent divergence into the black hole.

Again, a delayful resumption is weakly bisimilar to a classical-style one if and only if it is committed and its normal form is strongly bisimilar to that classical-style resumption.

Lemma 7.1 For any r : res and r* : res_c, r ≃ emb r* iff norm r h ≈ r* for some h : r⇕.

In Figure 4 we define the classical-style semantics in terms of classical-style resumptions. We have an inductive parameterized evaluation relation ⇒↓(X), defined in terms of X, for any relation X, for convergent runs; its inference rules are the same as those in the previous section. But we also have a coinductive parameterized evaluation relation ⇒↑(X), again defined in terms of X, for any relation X, for silently diverging runs, so that (s, σ) ⇒↑(⇒̂) expresses that running a statement s from a state σ diverges without performing input or output. It uses the inductive evaluation in case the first statement of a sequence or the first iteration of the body of a while-loop silently terminates, but the whole sequence or while-loop silently diverges. Then we define coinductively an extended evaluation relation ⇒̂ in terms of these two evaluation relations, nesting the latter into the former. Finally, we instantiate both ⇒↓ and ⇒↑ at ⇒̂ to obtain the "real" evaluation relation ⇒_c. Note that, to derive an evaluation proposition in this semantics, one has to decide upfront whether inductive or coinductive evaluation should be used, a decision that can be made classically, but not constructively.

The classical-style semantics is adequate wrt. the basic semantics of Section 4.

Proposition 7.1 (Soundness) For any s, σ and r : res_c, if (s, σ) ⇒_c r, then there exists r' : res such that (s, σ) ⇒ r' and emb r ≃ r'.

Proposition 7.2 (Completeness) For any s, σ, r : res and h : r⇕, if (s, σ) ⇒ r, then (s, σ) ⇒_c norm r h.

Corollary 7.1 Classically, for any s, σ and r : res, if (s, σ) ⇒ r, then there exists r' : res_c such that (s, σ) ⇒_c r' and r ≃ emb r'.

The classical-style semantics is more expressive than the responsive semantics, since it offers the option of "detected" divergence. In particular we have (while true do skip, σ) ⇒_c • and our interactive multipliers are assigned a classical-style resumption mult defined corecursively by mult = in_c (λm. in_c (λn. if m ≥ 0 then out_c (m ∗ n) mult else •)); i.e., we have (mult, σ) ⇒_c mult and (mult_opt, σ) ⇒_c mult.

8 Related Work

Formalized semantics are an important ingredient in the trusted computing base of certified compilers. Proof assistants, like Coq, are a good tool for such formalization projects, as both the object semantics of interest and its metatheory can be developed in the same framework. For introductions, see [?].

To account for nontermination or silent divergence properly in a big-step semantics is nontrivial already for languages without interactive I/O. Leroy and Grall [14] introduced two big-step semantics



Normalization and embedding for classical-style resumptions (Section 7), norm : (r : res) → r⇕ → res_c and emb : res_c → res:

$$
\begin{array}{l@{\qquad}l}
\mathit{norm}\ r\ (\mathit{comm\text{-}ret}\ \sigma\ \_) = \mathit{ret}_c\,\sigma &
\mathit{emb}\ (\mathit{ret}_c\,\sigma) = \mathit{ret}\ \sigma \\
\mathit{norm}\ r\ (\mathit{comm\text{-}in}\ f\ \_\ k) = \mathit{in}_c\,(\lambda v.\ \mathit{norm}\ (f\,v)\ (k\,v)) &
\mathit{emb}\ (\mathit{in}_c\,f) = \mathit{in}\ (\lambda v.\ \mathit{emb}\ (f\,v)) \\
\mathit{norm}\ r\ (\mathit{comm\text{-}out}\ v\ r'\ \_\ h) = \mathit{out}_c\,v\,(\mathit{norm}\ r'\ h) &
\mathit{emb}\ (\mathit{out}_c\,v\,r)= \mathit{out}\ v\ (\mathit{emb}\ r) \\
\mathit{norm}\ r\ (\mathit{comm\text{-}div}\ \_) = \bullet &
\mathit{emb}\ \bullet = \delta\,(\mathit{emb}\ \bullet)
\end{array}
$$
$$
\frac{}{(x := e, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{ret}_c\,(\sigma[x \mapsto [\![e]\!]\sigma])}
\qquad
\frac{}{(\mathrm{skip}, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{ret}_c\,\sigma}
\qquad
\frac{(s_0, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{ret}_c\,\sigma' \quad (s_1, \sigma') \Rightarrow_{\downarrow}(X)\ r}{(s_0; s_1, \sigma) \Rightarrow_{\downarrow}(X)\ r}
$$

$$
\frac{(s_0, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{in}_c\,f \quad \forall v.\ (s_1, f\,v)\ X\ f'\,v}{(s_0; s_1, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{in}_c\,f'}
\qquad
\frac{(s_0, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{out}_c\,v\,r \quad (s_1, r)\ X\ r'}{(s_0; s_1, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{out}_c\,v\,r'}
$$

$$
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow}(X)\ r}{(\mathrm{if}\ e\ \mathrm{then}\ s_t\ \mathrm{else}\ s_f, \sigma) \Rightarrow_{\downarrow}(X)\ r}
\qquad
\frac{e \not\models \sigma \quad (s_f, \sigma) \Rightarrow_{\downarrow}(X)\ r}{(\mathrm{if}\ e\ \mathrm{then}\ s_t\ \mathrm{else}\ s_f, \sigma) \Rightarrow_{\downarrow}(X)\ r}
$$

$$
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{ret}_c\,\sigma' \quad (\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma') \Rightarrow_{\downarrow}(X)\ r}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\downarrow}(X)\ r}
\qquad
\frac{e \not\models \sigma}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{ret}_c\,\sigma}
$$

$$
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{in}_c\,f \quad \forall v.\ (\mathrm{while}\ e\ \mathrm{do}\ s_t, f\,v)\ X\ f'\,v}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{in}_c\,f'}
\qquad
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{out}_c\,v\,r \quad (\mathrm{while}\ e\ \mathrm{do}\ s_t, r)\ X\ r'}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{out}_c\,v\,r'}
$$

$$
\frac{}{(\mathrm{input}\ x, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{in}_c\,(\lambda v.\ \mathit{ret}_c\,\sigma[x \mapsto v])}
\qquad
\frac{}{(\mathrm{output}\ e, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{out}_c\,([\![e]\!]\sigma)\,(\mathit{ret}_c\,\sigma)}
$$

$$
\frac{(s_0, \sigma) \Rightarrow_{\uparrow}(X)}{(s_0; s_1, \sigma) \Rightarrow_{\uparrow}(X)}
\qquad
\frac{(s_0, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{ret}_c\,\sigma' \quad (s_1, \sigma') \Rightarrow_{\uparrow}(X)}{(s_0; s_1, \sigma) \Rightarrow_{\uparrow}(X)}
$$

$$
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\uparrow}(X)}{(\mathrm{if}\ e\ \mathrm{then}\ s_t\ \mathrm{else}\ s_f, \sigma) \Rightarrow_{\uparrow}(X)}
\qquad
\frac{e \not\models \sigma \quad (s_f, \sigma) \Rightarrow_{\uparrow}(X)}{(\mathrm{if}\ e\ \mathrm{then}\ s_t\ \mathrm{else}\ s_f, \sigma) \Rightarrow_{\uparrow}(X)}
$$

$$
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\uparrow}(X)}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\uparrow}(X)}
\qquad
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow}(X)\ \mathit{ret}_c\,\sigma' \quad (\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma') \Rightarrow_{\uparrow}(X)}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\uparrow}(X)}
$$

$$
\frac{X \subseteq \hat{\Rightarrow} \quad (s, \sigma) \Rightarrow_{\downarrow}(X)\ r}{(s, \mathit{ret}_c\,\sigma) \mathrel{\hat{\Rightarrow}} r}
\qquad
\frac{X \subseteq \hat{\Rightarrow} \quad (s, \sigma) \Rightarrow_{\uparrow}(X)}{(s, \mathit{ret}_c\,\sigma) \mathrel{\hat{\Rightarrow}} \bullet}
\qquad
\frac{\forall v.\ (s, f\,v) \mathrel{\hat{\Rightarrow}} f'\,v}{(s, \mathit{in}_c\,f) \mathrel{\hat{\Rightarrow}} \mathit{in}_c\,f'}
\qquad
\frac{(s, r) \mathrel{\hat{\Rightarrow}} r'}{(s, \mathit{out}_c\,v\,r) \mathrel{\hat{\Rightarrow}} \mathit{out}_c\,v\,r'}
\qquad
\frac{}{(s, \bullet) \mathrel{\hat{\Rightarrow}} \bullet}
$$

$$
\frac{(s, \sigma) \Rightarrow_{\downarrow}(\hat{\Rightarrow})\ r}{(s, \sigma) \Rightarrow_c r}
\qquad
\frac{(s, \sigma) \Rightarrow_{\uparrow}(\hat{\Rightarrow})}{(s, \sigma) \Rightarrow_c \bullet}
$$

Figure 4: Classical-style big-step semantics

for lambda-calculus. One is classical in spirit, with two evaluation relations, inductive and coinductive, 
for terminating and diverging runs, and relies on decidability between termination and divergence. The 
other, with a single coinductive evaluation relation, is essentially suited for constructive reasoning, but 
contains a semantic anomaly (a function can continue reducing after the argument diverges), which 
results from its ability to collapse an infinite sequence of internal actions (contraction steps). 

In our work [17] on While with nontermination, we developed a trace-based coinductive big-step semantics where traces were non-empty colists of intermediate states, agreeing with the very standard coinductive small-step trace-based semantics. This semantics relied on traces being a monad; a central component in the definition was an extended evaluation relation, corresponding to the Kleisli extension of evaluation. Capretta [4] studied constructive denotational semantics of nontermination as the Kleisli semantics for the delayed state monad, corresponding to hiding the intermediate states in the trace monad as internal actions and quotienting by termination-sensitive weak bisimilarity. Rutten [21] carried out a similar project in classical set theory where the quotient is the state space extended with an extra element for nontermination.

Operational semantics of interactive programs is most often described in the small-step style where it amounts to a labelled transition system. Especially, this is the dominating approach in process calculi. Big-step semantics is closer to denotational semantics. In this field, resumption-based descriptions go back to Plotkin [20], Gunter et al. [10] and Cenciarelli and Moggi [5]. Resumptions are a monad and resumption-based denotational semantics is a Kleisli semantics. Our big-step semantics are directly inspired by this approach, except that we work in a constructive setting and must take extra care to avoid the need to invoke classical principles where they are dispensable.

We are not aware of many other works on constructive semantics of interactive I/O. But similar in its spirit to ours is the work of Hancock et al. [11] on stream processors and the stream functions that these induce by "eating". Stream processors are like our delay-free resumptions, except that the authors emphasize parallel composition of stream processors (one processor's output becomes another processor's input) and, for this to be well-defined, a stream processor must not terminate and may only do a finite number of input actions consecutively. Hancock et al. [11] also characterize realizable stream functions. In a precursor work, Hancock and Setzer [12] studied a model of interaction where a client sends a server commands and expects responses.

Weak bisimilarity tends to be defined termination-insensitively, identifying termination and divergence. In particular, this is also the approach of CCS [16]. Termination-sensitive weak bisimilarity has been considered by Bergstra, Klop and Olderog [1], Kučera and Mayr [13] and Bohannon et al. [?], but only in what we call the classical-style version, relying on decisions between convergence and divergence. (The weak bisimilarity of Capretta [4] is termination-sensitive and tailored for constructive reasoning, but restricted to behaviours without I/O. Weak bisimilarity also motivated the study of Danielsson and Altenkirch [6] on mixed induction-coinduction.)

Mixed inductive-coinductive definitions in the form of induction nested into coinduction (νX.μY.F(X, Y) or, more generally, νX.G(μY.F(X, Y), X)) seem to be quite fundamental in applications (e.g., the stream processors of Hancock et al., our delay-free semantics). Danielsson and Altenkirch [6, 7] argue for making this mix the basic form of inductive-coinductive definitions in the dependently-typed programming language Agda. Unfortunately, nestings the other way around (definitions μX.νY.F(X, Y)) seem to become difficult or impossible to code. With our approach, coinduction nested into induction is handled symmetrically to induction nested into coinduction [19].

Mendler-style (co)recursion originates from Mendler [15]. It uses that a monotone (co)inductive definition is equivalent to a positive one, via a syntactic left (right) Kan extension along identity (instead of μX.F X one works with μX.∃Y.(Y → X) → F Y). We exploited this fact to enable Coq's guarded corecursion for a coinductive definition with a nested inductive definition, at the price of impredicativity.

We have previously developed and formalized a Hoare logic for the trace-based semantics of While with nontermination [18]. A similar enterprise should be possible for resumptions, weak bisimilarity and While with interactive I/O.

9 Conclusion 

We have developed a constructive treatment of resumption-based big-step semantics of While with interactive I/O. We have devised constructive-style definitions of important concepts on resumptions such as termination-sensitive weak bisimilarity and responsiveness, and devised two variations of delay-free big-step semantics for programs that produce responsive and committed resumptions, respectively. Responsiveness is for interactive computation what termination is for noninteractive computation. And likewise, committedness compares to a decided domain of definedness. Indeed, all three variations of big-step semantics for While with interactive I/O have counterparts in big-step semantics for noninteractive While (see Appendix). Mathematically, we find it reassuring that observations made for a simpler noninteractive While naturally scale to a more involved language with interactive I/O. The central ideas are a concept of termination-sensitive weak bisimilarity tailored for constructive reasoning and the organization of evaluation in the delay-free semantics as an induction nested into coinduction.

Technically, we have carried out an advanced exercise in programming and reasoning with mixed induction and coinduction, which we have also formalized in Coq. The challenges in this exercise were both mathematical and tool-related (Coq-specific). We deem that the mathematical part was more interesting and important. The main new aspect in comparison to our earlier development of coinductive trace-based big-step semantics for noninteractive While was the need to deal with definitions of predicates that nest induction into coinduction, a relatively unexplored area in type theory. In Coq, we formalized them by parameterizing the inductive definition and converting the coinductive definition into Mendler-like format. Apparently, this technique is novel for the Coq community.

As future work, we would like to scale our development to concurrency. 
A Resumptions, Weak Bisimilarity, Delayful, Delay-Free and Classical-Style Big-step Semantics for While

The notions of resumptions and weak bisimilarity and the evaluation relations in the three big-step semantics shown in the main text are fairly involved, because of the amount of detail. Therefore, we also spell out what they specialize (or degenerate) to in the case of ordinary non-interactive While, to better highlight the phenomena that arise even in the absence of interaction.

A.l Resumptions, Bisimilarity, Weak Bisimilarity 

Delayful resumptions, with their strong bisimilarity, specialize to delayed states r : res à la Capretta [4], defined coinductively.

$$
\frac{\sigma : \mathit{state}}{\mathit{ret}\ \sigma : \mathit{res}}
\qquad
\frac{r : \mathit{res}}{\delta\,r : \mathit{res}}
\qquad\qquad
\frac{}{\mathit{ret}\ \sigma \approx \mathit{ret}\ \sigma}
\qquad
\frac{r \approx r^*}{\delta\,r \approx \delta\,r^*}
$$

Convergence and (silent) divergence are defined inductively resp. coinductively; convergence reduces to termination at a final state.

$$
\frac{}{\mathit{ret}\ \sigma \downarrow \mathit{ret}\ \sigma}
\qquad
\frac{r \downarrow r'}{\delta\,r \downarrow r'}
\qquad\qquad
\frac{r \uparrow}{\delta\,r \uparrow}
$$

Responsiveness reduces to termination. Committedness becomes decidability between termination and divergence. Committedness is tautologically true only classically.

Weak bisimilarity is defined in terms of convergence coinductively exactly as Capretta [4] did.

$$
\frac{r \downarrow \mathit{ret}\ \sigma \quad r^* \downarrow \mathit{ret}\ \sigma}{r \simeq r^*}
\qquad
\frac{r \simeq r^*}{\delta\,r \simeq \delta\,r^*}
$$

Any terminating delayed state can be normalized into a state. Any decided delayed state can be normalized into a choice between a state or a special divergence token.

A.2 Delayful Semantics 

In the delayful big-step semantics, evaluation and extended evaluation are defined mutually coinductively 
as follows. 

$$
\frac{}{(x := e, \sigma) \Rightarrow \delta\,(\mathit{ret}\ \sigma[x \mapsto [\![e]\!]\sigma])}
\qquad
\frac{}{(\mathrm{skip}, \sigma) \Rightarrow \mathit{ret}\ \sigma}
\qquad
\frac{(s_0, \sigma) \Rightarrow r \quad (s_1, r) \mathrel{\hat{\Rightarrow}} r'}{(s_0; s_1, \sigma) \Rightarrow r'}
$$

$$
\frac{e \models \sigma \quad (s_t, \delta\,(\mathit{ret}\ \sigma)) \mathrel{\hat{\Rightarrow}} r}{(\mathrm{if}\ e\ \mathrm{then}\ s_t\ \mathrm{else}\ s_f, \sigma) \Rightarrow r}
\qquad
\frac{e \not\models \sigma \quad (s_f, \delta\,(\mathit{ret}\ \sigma)) \mathrel{\hat{\Rightarrow}} r}{(\mathrm{if}\ e\ \mathrm{then}\ s_t\ \mathrm{else}\ s_f, \sigma) \Rightarrow r}
$$

$$
\frac{e \models \sigma \quad (s_t, \delta\,(\mathit{ret}\ \sigma)) \mathrel{\hat{\Rightarrow}} r \quad (\mathrm{while}\ e\ \mathrm{do}\ s_t, r) \mathrel{\hat{\Rightarrow}} r'}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow r'}
\qquad
\frac{e \not\models \sigma}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow \delta\,(\mathit{ret}\ \sigma)}
$$

$$
\frac{(s, \sigma) \Rightarrow r}{(s, \mathit{ret}\ \sigma) \mathrel{\hat{\Rightarrow}} r}
\qquad
\frac{(s, r) \mathrel{\hat{\Rightarrow}} r'}{(s, \delta\,r) \mathrel{\hat{\Rightarrow}} \delta\,r'}
$$

We have previously [17] conducted a thorough study of a variation of this semantics (with intermediate states instead of delays), explaining the design considerations in great detail. We have also [18] developed a Hoare logic for this semantics.

A.3 Delay-Free Semantics 

Delay-free resumptions are the same as states. 

In the delay-free semantics, there is one inductive evaluation relation for terminating configurations. 
There is no need for a separate extended evaluation relation (which would coincide with evaluation 
anyhow, since resumptions and states are the same thing) and no need to parameterize the evaluation 
relation. 

$$
\frac{}{(x := e, \sigma) \Rightarrow_{\downarrow} \sigma[x \mapsto [\![e]\!]\sigma]}
\qquad
\frac{}{(\mathrm{skip}, \sigma) \Rightarrow_{\downarrow} \sigma}
\qquad
\frac{(s_0, \sigma) \Rightarrow_{\downarrow} \sigma' \quad (s_1, \sigma') \Rightarrow_{\downarrow} \sigma''}{(s_0; s_1, \sigma) \Rightarrow_{\downarrow} \sigma''}
$$

$$
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow} \sigma'}{(\mathrm{if}\ e\ \mathrm{then}\ s_t\ \mathrm{else}\ s_f, \sigma) \Rightarrow_{\downarrow} \sigma'}
\qquad
\frac{e \not\models \sigma \quad (s_f, \sigma) \Rightarrow_{\downarrow} \sigma'}{(\mathrm{if}\ e\ \mathrm{then}\ s_t\ \mathrm{else}\ s_f, \sigma) \Rightarrow_{\downarrow} \sigma'}
$$

$$
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow} \sigma' \quad (\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma') \Rightarrow_{\downarrow} \sigma''}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\downarrow} \sigma''}
\qquad
\frac{e \not\models \sigma}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\downarrow} \sigma}
$$

The delay-free semantics agrees with the delayful semantics for terminating delayed states.

It is the textbook big-step semantics of While, which accounts for terminating configurations and 
assigns no evaluation result to diverging configurations. 

A.4 Classical- Style Semantics 

A classical-style resumption is a state or the special token • for divergence.

$$
\frac{\sigma : \mathit{state}}{\mathit{ret}_c\,\sigma : \mathit{res}_c}
\qquad
\frac{}{\bullet : \mathit{res}_c}
$$

The classical-style semantics has an inductively defined terminating evaluation relation (defined ex- 
actly as that of the delay-free semantics) and a coinductively defined diverging evaluation relation. The 
latter depends on the former, but not the other way around. There is no need for an extended evaluation 
relation. 

$$
\frac{}{(x := e, \sigma) \Rightarrow_{\downarrow} \sigma[x \mapsto [\![e]\!]\sigma]}
\qquad
\frac{}{(\mathrm{skip}, \sigma) \Rightarrow_{\downarrow} \sigma}
\qquad
\frac{(s_0, \sigma) \Rightarrow_{\downarrow} \sigma' \quad (s_1, \sigma') \Rightarrow_{\downarrow} \sigma''}{(s_0; s_1, \sigma) \Rightarrow_{\downarrow} \sigma''}
$$

$$
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow} \sigma'}{(\mathrm{if}\ e\ \mathrm{then}\ s_t\ \mathrm{else}\ s_f, \sigma) \Rightarrow_{\downarrow} \sigma'}
\qquad
\frac{e \not\models \sigma \quad (s_f, \sigma) \Rightarrow_{\downarrow} \sigma'}{(\mathrm{if}\ e\ \mathrm{then}\ s_t\ \mathrm{else}\ s_f, \sigma) \Rightarrow_{\downarrow} \sigma'}
$$

$$
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow} \sigma' \quad (\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma') \Rightarrow_{\downarrow} \sigma''}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\downarrow} \sigma''}
\qquad
\frac{e \not\models \sigma}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\downarrow} \sigma}
$$

$$
\frac{(s_0, \sigma) \Rightarrow_{\uparrow}}{(s_0; s_1, \sigma) \Rightarrow_{\uparrow}}
\qquad
\frac{(s_0, \sigma) \Rightarrow_{\downarrow} \sigma' \quad (s_1, \sigma') \Rightarrow_{\uparrow}}{(s_0; s_1, \sigma) \Rightarrow_{\uparrow}}
\qquad
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\uparrow}}{(\mathrm{if}\ e\ \mathrm{then}\ s_t\ \mathrm{else}\ s_f, \sigma) \Rightarrow_{\uparrow}}
\qquad
\frac{e \not\models \sigma \quad (s_f, \sigma) \Rightarrow_{\uparrow}}{(\mathrm{if}\ e\ \mathrm{then}\ s_t\ \mathrm{else}\ s_f, \sigma) \Rightarrow_{\uparrow}}
$$

$$
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\uparrow}}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\uparrow}}
\qquad
\frac{e \models \sigma \quad (s_t, \sigma) \Rightarrow_{\downarrow} \sigma' \quad (\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma') \Rightarrow_{\uparrow}}{(\mathrm{while}\ e\ \mathrm{do}\ s_t, \sigma) \Rightarrow_{\uparrow}}
$$

$$
\frac{(s, \sigma) \Rightarrow_{\downarrow} \sigma'}{(s, \sigma) \Rightarrow_c \mathit{ret}_c\,\sigma'}
\qquad
\frac{(s, \sigma) \Rightarrow_{\uparrow}}{(s, \sigma) \Rightarrow_c \bullet}
$$

The classical-style semantics agrees with the delayful semantics for decided delayed states (classi- 
cally, any delayed state is decided). 

A semantics in this spirit (with separate convergent and divergent evaluation relations) was proposed for untyped lambda calculus by Leroy and Grall [14].

The delayful semantics (together with the identification of weakly bisimilar delayed states) and the 
classical-style semantics have the same purposes, but the delayful semantics is better behaved from the 
constructive point-of-view. As a practical consequence, it has the advantage that the evaluation relation 
can be turned into a function (highly desirable, if one wants to be able to directly execute the big-step 
semantics). This is not possible with the classical-style semantics, as one would have to be able to decide 
whether a configuration terminates before actually running it. 



